PDP
Sjoerd Mullender
IOCCC
0x9
ANSI C
PDP-11
eBay
VAX-11
OS
branch’
segments’
ASCII
duty’
SimH.I
Double YikesYes
the VU
Free University
CS
Don Libes
Robbert van Renesse
Sjoerd
Usenet
portable”.To
Debugger’
No matching tags
0x8
Windows
Android Debug Bridge
Amsterdam
No matching tags
I want to give a huge thank you to Sjoerd Mullender and Don Libes for their assistance and permission in reproducing some of this material.Because older obfuscated programs tend to be easier to dissect I decided to stay in the early years of the IOCCC (International Obfuscated C Code Contest). Among those early programs one sticks out as truly interesting - and that is the first IOCCC winner mullender.c, which I’ve also replicated below because it’s quite short. From this hint, we can learn a few things necessary to understanding how the program works:Essentially, the program is a bunch of machine code instructions encoded in various formats. Well, you can actually set up a cross compiler for the PDP-11 and if you go through that effort you can use the objdump program targeted at PDP-11 binaries.Below is the relevant portion of the objdump - the whole thing is here, but not all of it is useful. the program which we will get back to. (It’s also not proper VAX code since the disassembler thinks everything is PDP-11).Before going further there are 2 important things to know about PDP-11 assembly code:The first number in the original program is 277, put that into a hex converter and you’ll get 115 like we see in the objdump. Cool!Now that we know how the branch works we can examine the main stuff - I won’t go into huge depth with the manuals for each little instruction but doing so is fun if you’re bored and enjoy that sort of thing.The next relevant portion of code is this:We move the program counter into the r4 register and then use the ‘test’ (tst) instruction. asking about the workings of this call internally - I recommend checking it out if you want further clarity on how this works.After this we have the final 3 lines of PDP code which are:We put 1000 into r2, and call system call 55. and Sjoerd states that these 3 lines were only included to introduce a slight delay to the program (presumably for more legible printing on the screen).Finally, after the delay has delayed things, we branch back up to 0x2c and the fun begins all over again.So that’s all well and good. This is why we move the program counter (pc) into r4 and then decrement it by 2 and subtract 9 - the string is 9 bytes long. of the beginning of the string in r4.This also demonstrates why the PDP-11 objdump file is only partly useful, it interprets these bytes as instructions when they are not. No gif of this one running - it looks exactly the same as last time.The assembly code for the VAX program is unhelpful, much like the PDP assembly code. I wish I could explain what the bit after the PDP code does but it seems like no one has a good idea.To close this out, here is the story of the program. we could use the same technique for an obfuscated C program. Our program is idempotent under cb.Throughout the course of this research Sjoerd mentioned to me a book from the early 90s called “Obfuscated C and Other Mysteries” by Don Libes. No, this book is interesting because it contains original source code for the PDP and VAX programs as well as the C program that generated the mullender.c submission.
As said here by